What is Two-Factor Authentication (2FA) and do you need it?

Two-Factor authentication (2FA) refers to a login process that requires more than just a password. We’re all used to the standard website login which is comprised of our username and password. Usernames are generally pretty easy to discover; in many cases it’s just our well-publicized email address or, in the case of forums, it’s the display name everyone can see. That means the only real protection you have against someone logging in as you is the strength of your password.We all know we should have strong passwords, right?

What is authentication, anyhow?

In order for you to gain access to something like your email, the email system has to be satisfied of two things. I’ve described them in more detail in the glossary at the end, but the high level view is this:

Authentication; sometimes abbreviated AuthN, which simply means you are who you say you are.

What’s the difference between two-factor authentication and two-step verification?

Many computer science students and philosophers would debate this into the wee hours of the morning and while there is a subtle difference, in practice it’s not a very big one. The main sticking point is that there is no concept of “verification” in authentication/authorization parlance. We have authentication and we have authorization. The introduction of the ambiguous term “verification” can lead to confusion over the difference between what someone knows and what someone has. Further, what does verification mean? Does it mean that the person has been identified (AuthN) or does it mean the person is allowed to access some resource (AuthZ)? We have adequate words for those concepts already.

A secondary point of confusion stems from the distinction between what a person has, and what a person knows. At face value it’s easy to think that something like a biometric second-factor that uses a fingerprint constitutes something the user has (they have their fingerprint). But, the use of fingerprints as a phone unlock mechanism has been debated in the US court system. Some judges feel that a fingerprint is implicit testimony and testimony is something someone knows, not something they have.

Both these concepts fall under the umbrella of Multi Factor Authentication (MFA) and both require you to have something else other than a password. It doesn’t matter whether that something else is a fingerprint, a one-time numeric sequence, or a Yubikey.

Why do we need something other than passwords?

There are three main ways that bad guys get your password. The first is to simply guess it. You may think that has a very unlikely chance of success but sadly many people use terribly weak passwords. I see a lot of passwords in my daily work life and there are far too many Chucks in the world with the password chuck123. The second way is to utilize a dictionary attack. The bulk of the remaining passwords for the billions of accounts in the world are comprised of a few thousand words. Bad guys run dictionary attacks against sites knowing that most of the accounts on that site will be using one of those common passwords. The third way is just steal the data. In the case of big sites it may be impractical to guess the passwords of millions of users. It may be easier to try to guess one password – that of the site administrator who has access to the rest of the data. Sometimes data theft is done without any passwords at all. A vulnerability in the website can be exploited to steal data.

Sites and systems that employ 2FA require a second factor in addition to your password to log in. At face value, that may seem silly. If passwords are so easily compromised, how much value can simply adding a second password bring to the table? It’s a good question that 2FA addresses. In most cases 2FA takes the form of a numeric code that changes every minute or can only be used once. Therefore, someone who manages to get your password won’t be able to log into your account unless they’ve also managed to obtain your current 2FA code. In this way, 2FA removes that human frailty of creating weak passwords and reusing them across services. It also protects against account data being stolen because even if the bad guy manages to steal all the usernames and passwords for a site, he still will not be able to log in to any of those accounts without that essential 2FA code for each user.

Why do I want to use two-factor authentication?

Consider that most password hacks happen over the internet. A dated, but usable, analogy is a bank robbery. Before the internet, robbing a bank was very difficult. You had to get a crew, case the bank to find the best time to rob it, obtain some weapons and disguises, and then actually carry out the robbery without getting caught. Today, the same bank robber can sit across the world and try to brute force your web banking account without you even being aware. If he can’t get in to your account, he just moves on to the next. There’s virtually no risk of getting caught and it requires almost no planning. With the introduction of 2FA, that bank robber has virtually no chance of succeeding. Even if he were to correctly guess your password, he would have to hop on a plane, track you down, and steal your 2FA device to get in. Once a physical impediment is introduced to a login sequence, it becomes orders of magnitude harder for the bad guy to succeed.

2FA requires you to provide two things: something you know and something you have. The something you know is your password. The something you have is the numeric code. Since the numeric code changes so frequently, anyone being able to provide the correct code at any moment is almost assuredly in possession of the code generating device. 2FA is proving to be very resilient to brute force password attacks, which is good news. The bad news is the very slow adoption rate. Each individual service has to decide to implement 2FA – it’s not something you can decide for yourself to use on every site. While an ever growing number of sites support 2FA now, many more do not. Surprisingly, very critical sites like banking and government sites have been very slow to adopt 2FA.

How does two-factor authentication work in practice?

If a service supports 2FA, it won’t be enabled by default. This is because there is an enrollment process required to set up 2FA for each site and without that enrollment process, users would simply be locked out of their account. You’ll want to delve into the security or login settings of your account and hope to find 2FA settings.

Note: it will be difficult to set up 2FA without a smartphone because the two main ways codes can be generated are:

sent via SMS (text) message

retrieved from an app running on the phone

SMS (text) message two-factor authentication

The advantages of using the SMS method is that it is nearly universal and is tied to your SIM card, not your phone. Almost all mobile phones accept text messages, even “dumb” phones that do not have apps installed on them. If you change phones, or your phone is damaged or lost, you can simply pop your SIM card into another phone and you’re good to go. The main disadvantage is that in order for SMS messages to get through, you must be within cellular range. Also, global travellers can have problems with the SMS method if they change their SIM cards in different countries because each SIM card would have a different phone number.

A more advanced disadvantage to SMS 2FA is that it’s not terribly hard for bad guys to infiltrate the SMS system and intercept codes, or use social engineering to call your mobile provider and have your number assigned to their SIM card. This type of nefariousness is usually reserved for people who are being deliberately targeted by an attacker rather than a normal run of the mill attack. There’s not much any security precaution can do for you if you’ve attracted the attention of sophisticated bad guys like that.

Two-factor authentication applications

There are a variety of 2FA apps on the market. The most popular is Google Authenticator, but competitors like Authy and LastPass also have 2FA apps. This type of product splintering does nothing to help the adoption of 2FA because companies have to spend time deciding which 2FA platform to use. Customers also have to be willing to install yet another 2FA app on their phones if a service uses a different 2FA platform than others.

To biggest pro to 2FA apps is that they do not need any type of internet or cellular connectivity to function. They simply display the necessary codes as needed. The down side to 2FA apps is that if you lose or damage your phone to the extent that you can’t get a code from it, you’re going to have a hard time getting in to your account.

Another small downside to 2FA apps is that each service needs to be set up individually. This normally means you just need to scan a QR barcode with the app but it can be more involved for some corporate implementations.

The best services offer both SMS and app 2FA, but those services are few and far between.

Two-factor authentication in enterprise

2FA has a better adoption rate in corporations than in public services. Many companies that have remote workers have strongly implemented 2FA. The most common and mature 2FA mechanism for corporations is the RSA SecurID. It has been around for years and can be installed as an app, or provided as a hardware dongle much like a USB stick with a screen showing the code. Another strong contender these days is Okta. Okta began focusing on Single Sign On (SSO) meaning users only had to log in once and can then access many third party services. Many corporations use SSO heavily and now that Okta offers 2FA, it is becoming more popular.

Glossary

Authentication (AuthN): You are who you say you are. This is where your username and password comes into play. Anyone who presents both of those things is deemed to be you. However, just being authenticated doesn’t mean you will be allowed to read your email.

Authorization (AuthZ): Once you’ve been authenticated (the system knows who you are), it can then determine what you’re allowed to access. In the case of logging in to your email, there’s really just one thing you’re there to do. But, consider an office scenario where you’re able to read some shared network drives, but not others. It’s the AuthZ layer that determines what you’re allowed to do but it can’t do that until you’re probably authenticated.

Using 2FA is a very good security measure and you should consider enabling it everywhere you can. The Two Factor Auth.org site has an interesting project that attempts to list the companies that support 2FA and provides an easy way to publicly shame companies that do not. If a service you currently use does not support 2FA, you may be able to find an alternate service that does.